A Client Side Defense against Address Resolution Protocol (ARP) Poisoning George Mason University INFS 612, Spring 2013 Group #3 (C. Blair, N. Eisele, N. Rehman, T. Troy) Topics • Abstract • ARP Introduction • Problem • Related Research Works • Pros / Cons of Other Solutions • Our Proposed Solution • Pseudo-code • Pros / Cons of Our Solution • Summary • Questions? Abstract • ARP Poisoning can cause loss of privacy and security vulnerabilities • Many scholarly works were researched, key weakness were highlighted in their research • Within our constrained scope, our solution to ARP Poisoning overcomes the weaknesses of previously researched solutions ARP Introduction • ARP is used on local Ethernet networks to map an IP address to a MAC address • ARP was first created in the early 80s, intended as an efficient address resolution mechanism (security was not a priority) • Each host maintains their own ARP table which stores IPMAC mapping • ARP communicates using Requests and Replies • ARP Replies are automatically accepted without authentication • ARP Poisoning exploits the processing of ARP Replies Normal ARP Exchange Host A wishes to communicate with Host B Host A ARP cache is checked ARP entry is added ARP request is sent ARP reply is sent Host B Host C ARP entry is added ARP Frame Packet 0 bits 32 Hardware Type Protocol Type Hardware Protocol Opcode (1 for Request, Adr. Len. Adr. Len. 2 for Reply) Src. MAC (bytes 1-4) Src. MAC (bytes 5-6) Src. IP (bytes 1-2) Src. IP (bytes 3-4) Dest. MAC (bytes 1-2) Dest. MAC (bytes 3-6) Dest. IP (bytes 1-4) ARP Cache Table Typical OS X ARP Cache Table Neighbor Linklayer Address Expire(O) Expire(I) Netif 10.37.129.255 ff:ff:ff:ff:ff:ff (none) (none) vnic1 10.211.55.5 0:1c:42:74:3e:48 29s 29s vnic0 10.211.55.255 ff:ff:ff:ff:ff:ff (none) (none) vnic0 192.168.0.1 18:59:33:9d:5c:68 38s 38s en 192.168.0.13 0:90:a9:b4:46:cb expired 10s en1 192.168.0.17 14:d4:fe:f7:e7:e expired expired en1 192.168.0.18 e0:ca:94:f4:63:a7 38s 38s en1 192.168.0.119 6c:33:a9:63:8d:aa expired expired en1 192.168.0.255 ff:ff:ff:ff:ff:ff (none) (none) en1 ARP Poisoning Attacker wishes to intercept traffic to and from host A Classic “Man-in-the-Middle” attack Host A Outbound traffic passes through attacker Router Attacker Inbound traffic also passes through attacker Gratuitous ARP to Host A saying “I am the router” Gratuitous ARP to router saying “I am Host A” Secure Server (Gouda) • Add secure server to Ethernet • Add Invite-Accept and Request-Reply protocols • Protocols use: Timeouts to counter message loss Shared secrets to counter message modification Nonces to counter message replays • Cons: Requires adding an additional secure server and backup server Requires two additional protocols Additional communication traffic Permanent entries are restrictive Enhanced ARP with Trusted Authority (Hammouda and Trablesi) Host A Host B Registers with Router using unique 10 byte “fingerprint” If accepted, stores IP-MAC-fingerprint information, replies with hash Sends ARP request for Host B with fingerprint fragment Creates ARP Traffic database entry Router with ARP Request information • Accept: Store IP-MAC-Fingerprint information Verification ReplyRequest Accepted with fingerprint hash • Reject: Fingerprint already in use A’s request entry, If ok, notifies B, removes Reply Rejected, Host must resend and adds an entry for B’s reply • Drop: IP already registered Sends ARP Reply Drop Request, most likely spoof Sends Verification Request, Router removes B’s reply entry and responds Adds Host B’s MAC Address to cache Our Proposed Solution • Assumptions: 1. Unsecured LAN 2. Network must use DHCP 3. DHCP Server resides on Internet Gateway box • Constraints: 1. Can not modify Protocol 2. Can not modify any external machine (host or router) Our Proposed Solution DHCP Message Format 1. Process begins at startup or user initiation. 2. Listens for a network connection and captures all DHCP traffic from Port 68. 3. If packet is a DHCP Reply, extract the IP and MAC address for own machine and IP address for gateway. 4. Additionally extract gateway MAC address from sender’s frame source hardware address field. 5. Delete own ARP cache. 6. Make static entry in ARP cache with extracted information. 7. Initiate a gratuitous ARP Reply containing own information at set intervals (default = 500 ms). Our Proposed Solution //call init() on host start up or manually. init() { boolean DHCPframeFound=false ; Frame cFrame = new frame(); while(networkInterfaceExists) { while(!DHCPframeFound) { cFrame.cDHCP = UDPpacket_listener(port 68); if (cDHCP.isDHCP_reply) { System.delete_ARPtable(); System.addARP(STATIC, cDHCP.getGtwyIP(),cFrame.getGtwyMAC()); PacketTimer arpM = create_message_repeater(500); arpM.sendGratuitousARP(NetIface.IP, NetIface.MAC); DHCPframeFound=true ; } } } } Pros & Cons Pros: •No additional hardware needed. •No administrative costs. •Theoretically easy to develop and distribute. •Minimal computer resources required. •Scalable. Cons: •Can only be used in a DHCP network. •Requires DHCP server on the same machine as internet gateway. •Extra network traffic. •Does not secure peer-to-peer communication. •Gateway may not allow gratuitous ARP. • A race condition could exist if an attacker continuously attempts to poison the internet gateway’s cache with the host’s IP and the attacker’s MAC. Summary • ARP was designed to be efficient. • Our solution overcomes the weaknesses of other solutions while preserving the original efficiency. Questions